nmap
nmap [scan type] [options] {targets}
IPv4 address:
192.168.1.1
IPv6 address (with zone ID for link-local scope):
AABB:CCDD::FF%eth0
Host name:
www.target.com
IP address range:
192.168.0-255.0-255
CIDR block:
192.168.0.0/16
Input from list of hosts/networks:
-iL <filename>
Port selection:
-F : scan the 100 most popular ports
-p<port1>-<port2> : port range
-p<port1>,<port2>,... : port list
-pU:53,U:110,T:20-445 : mix TCP and UDP (U: and T: prefixes)
-r : scan ports consecutively, don't randomize
--top-ports <n> : scan the n most popular ports
-p-65535 : leaving off the initial port makes nmap start at port 1
-p0- : leaving off the end port makes nmap scan up to port 65535
-p- : leaving off both start and end port makes nmap scan ports 1-65535
Host discovery:
-Pn : treat all hosts as online, skip host discovery
-PB : default probe (TCP 80, 445 & ICMP) in old releases; current Nmap no longer accepts -PB, and its privileged default is ICMP echo, TCP SYN to 443, TCP ACK to 80 and ICMP timestamp
-PS<port list> : check whether targets are up by sending TCP SYN to the listed ports
-PE : use ICMP echo request
-PP : use ICMP timestamp request
-PM : use ICMP netmask request
-sn : probe only (host discovery, no port scan)
Scan types:
-sS : TCP SYN scan (the default when nmap has raw-socket privileges; used in the examples below)
-sT : TCP connect scan
-sU : UDP scan
-sV : version scan
-O : OS detection
--scanflags <flags> : set a custom combination of TCP flags (URG, ACK, PSH, RST, SYN, FIN) in any order
Timing templates:
-T0 : paranoid, a very slow scan (used for IDS evasion)
-T1 : sneaky, a slow scan that stays under many firewall/IDS rate thresholds (used for IDS evasion)
-T2 : polite, unlikely to interfere with the target system (about 10 times slower than default)
-T3 : normal, the default nmap timing template (adapts to target responsiveness)
-T4 : aggressive, faster results on reliable LANs (may overwhelm targets)
-T5 : insane, a very fast aggressive scan (will likely overwhelm targets or miss open ports)
Output:
-oN <file> : standard nmap output
-oG <file> : greppable format
-oX <file> : XML format
-oA <basename> : write nmap, greppable and XML output files, using basename for the file names
Scripts:
--script <script|category|file> : run the given NSE script(s) on the target
-sC : equivalent to --script=default
Other options:
-n / -R : never do DNS resolution / always resolve [default: sometimes]
-6 : use IPv6 only
-A : aggressive mode, enables OS detection, version detection, default script scanning and traceroute
--reason : display the reason nmap thinks a port is open, closed or filtered
--open : only show open (or possibly open) ports
-v : increase verbosity level (use -vv or more for greater effect)
Examples:
nmap -sV {target ip}
nmap -sV -sC {target ip}
nmap -sV -sC -Pn {target ip}
nmap -sV --script http-enum -Pn {target ip}
nmap -p 445 --script vuln -Pn {target ip}
nmap -p 445 --script smb-vuln-* -Pn {target ip}
nmap -F -sV -sC -sU -T4 {target ip}
nmap -sV -sC -n --min-rate 1000 -T4 {target ip}
nmap -p- -sS --min-rate 5000 --open -vv -n -Pn {target ip}
# split the scan in two phases: a fast sweep of all ports, then version and script scanning of only the ports found open
# --open in phase 1 keeps filtered ports out of the list that grep '^[0-9]' collects from the normal output
ports=$(nmap -p- --open --min-rate 1000 -T4 -Pn {target ip} | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -sV -sC -Pn {target ip}
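The two-phase recipe above parses nmap's normal output. The following is an added example, not part of the original cheat sheet, that does the same job on greppable (-oG -) output instead: it keeps only ports whose state is exactly "open" (dropping filtered and open|filtered), separates TCP from UDP, and builds a single -p argument in the T:/U: syntax listed under Port selection so one follow-up scan covers both protocols. The greppable output embedded below is a constructed sample, not captured from a real host, and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example: turn phase-1 greppable output into a -p argument for phase 2.
# Assumes only POSIX grep/sed/awk/sort/paste. SAMPLE_GNMAP is constructed
# for illustration; real nmap -oG output separates fields with tabs, which the
# [[:space:]] pattern below also accepts.

SAMPLE_GNMAP='# Nmap scan initiated as: nmap -p- -sS -sU --min-rate 1000 -oG - 10.0.0.5
Host: 10.0.0.5 ()	Status: Up
Host: 10.0.0.5 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 53/open/udp//domain///, 161/open|filtered/udp//snmp///	Ignored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned'

# open_ports <tcp|udp>: read greppable output on stdin and print the
# comma-separated, numerically sorted ports whose state is exactly "open".
# Each Ports: entry has the form port/state/proto/owner/service/rpc/version/,
# so with "/" as the field separator $1=port, $2=state, $3=proto.
# "open|filtered" entries are excluded on purpose: phase 2 should spend its
# -sV/-sC time only on ports that definitely answered.
open_ports() {
  proto="$1"
  grep '^Host:.*Ports:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | sed 's/^ *//' \
    | awk -F/ -v p="$proto" '$2 == "open" && $3 == p { print $1 }' \
    | sort -n | paste -sd, -
}

# port_spec: read greppable output on stdin and print one -p argument that
# combines TCP and UDP open ports using the T:/U: prefixes, e.g. T:22,80,U:53.
# Prints an empty line when nothing was open, so callers can test for that.
port_spec() {
  data=$(cat)
  tcp=$(printf '%s\n' "$data" | open_ports tcp)
  udp=$(printf '%s\n' "$data" | open_ports udp)
  spec=""
  [ -n "$tcp" ] && spec="T:$tcp"
  [ -n "$udp" ] && spec="${spec:+$spec,}U:$udp"
  printf '%s\n' "$spec"
}

# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_GNMAP" | port_spec
# Real use: nmap -p- -sS -sU --min-rate 1000 -Pn -oG - "$target" | port_spec
```

Because the spec carries U: ports, the second phase must include -sU alongside -sS, for example `nmap -sS -sU -sV -sC -Pn -p "$(nmap -p- -sS -sU --min-rate 1000 -Pn -oG - "$target" | port_spec)" "$target"`. Nmap's own --open flag achieves the same filtering at scan time; the awk test is what you need when parsing -oG files that were saved without it.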